Given:
- Primary ASP MVC client
- JavaScript client hosted in ASP MVC Core
- ASP Web API

All authenticate using IdentityServer.

Problem
For a regular user, auth runs with the ASP kernel and the OIDC client. I use the access token in ASP Core to access the API.
Now the JavaScript function wants to access the authorized API and needs this access_token.
What is the best practice to have it in JavaScript? I see primarily two options:
1.) I do silent auth in JavaScript with the OIDC client. (Feels like duplicate work.)
2.) I store the access_token in a cookie where JavaScript can pick it up (potentially unsecured).
3.) ( ) , /me/token, access_token
?